[OpenID] Google OpenID IDP is now live

Deron Meranda deron.meranda at gmail.com
Wed Oct 29 19:29:17 UTC 2008


On Wed, Oct 29, 2008 at 3:19 PM, Martin Atkins <mart at degeneration.co.uk> wrote:
> Deron Meranda wrote:
>>
>> I'm not really sure of the whole point to the proposal anyway; isn't that
>> what the HTTP Accept-Language header is for?
>
> I believe the idea here is to arrange for the OP UI to appear in the same
> language as the RP regardless of how the RP determined language.
>
> However, I have before raised the concern that if I'm muddling my way
> through a site that's only available in French I'd still rather have my OP
> -- that, after all, knows more about me than the RP -- present its UI in
> English, my primary language.

This probably should go in a separate thread if it gets much longer....

First, I'm wary of the RP telling the OP how to display things.  It
could open up even more phishing issues.  If the RP could tell the
OP to display the login page in, say, Cherokee, then the end user
who can't read the page but sees the "ok" button is likely to grant
access when they didn't understand what they were doing.  The
RP in my opinion should have a minimal amount of influence over
how the OP communicates with the end user, including the language.

The OP should either know the user's preferred language because
he's already logged in, or should use the browser's Accept-Language
header.

Now, IF, the RP did need to pass a language, couldn't that be
done by sending an HTTP Accept-Language header along
with the GET/HEAD during the XRDS discovery phase... the OP
could then potentially send back different XRDS resources based
on the language, if it wanted to.
-- 
Deron Meranda
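
An added example, not part of the original message: a sketch of the OP-side policy argued for above, where the UI language comes from the logged-in user's stored preference or else the browser's Accept-Language header, and any language passed along by the RP is never consulted. The function names, the supported-language list and the `rp_hint` parameter are assumptions made for illustration.

```python
# Added example: OP-side UI language selection. All names are hypothetical.

SUPPORTED = ("en", "fr", "de")  # languages this OP has translations for (constructed)
DEFAULT = "en"


def parse_accept_language(header):
    """Return the language ranges of an Accept-Language header, best first."""
    ranges = []
    for position, item in enumerate((header or "").split(",")):
        tag, _, params = item.strip().partition(";")
        tag = tag.strip().lower()
        if not tag:
            continue
        q = 1.0
        params = params.strip().lower()
        if params.startswith("q="):
            try:
                q = float(params[2:])
            except ValueError:
                continue  # malformed weight: drop the entry, do not guess
        if 0.0 < q <= 1.0:  # q=0 means "not acceptable"; out-of-range is dropped
            ranges.append((-q, position, tag))
    return [tag for _, _, tag in sorted(ranges)]


def match_supported(tag):
    """Map a tag such as 'fr-ca' to a supported primary language, or None."""
    primary = tag.split("-")[0]
    return primary if primary in SUPPORTED else None


def choose_ui_language(account_language, accept_language, rp_hint=None):
    """Pick the OP's UI language; rp_hint (from the RP) is deliberately unused."""
    if account_language:  # user is already logged in at the OP
        chosen = match_supported(account_language.lower())
        if chosen:
            return chosen
    for tag in parse_accept_language(accept_language):
        chosen = match_supported(tag)
        if chosen:
            return chosen
    return DEFAULT
```
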


